Goals

By the end of this tutorial, you will learn how to:

  • Reference data from previous actions
  • Use the Reshape action to organize data
  • Use if-conditions to control the flow of your workflow
  • Configure the output schema of a workflow

Prerequisites

Tutorial

1

Organize data using the Reshape action

The JSON object returned from the Search URL with VirusTotal action can be quite verbose, for example:

Let’s use the Reshape action along with JSONPath match to extract and then organize the data we need for other actions.

Rename the Reshape action to Extract VirusTotal report and configure its inputs with the following expressions:

value:
    url: ${{ ACTIONS.search_url_with_virustotal.result.data.data.attributes.url }}
    stats: ${{ ACTIONS.search_url_with_virustotal.result.data.data.attributes.last_analysis_stats }}

The ACTIONS expression namespace contains all the results from previous actions. To get the result from a previous action, you call ACTIONS.<action key>.result, where <action key> is the snake-cased name of the action.

For example, the action key for an action named “Search URL with VirusTotal” is search_url_with_virustotal.

2

Add list comments action

Add the List VirusTotal comments on URL action to your workflow, then configure its inputs with the following expression:

url: ${{ ACTIONS.extract_virustotal_report.result.url }}

3

Define an if-condition on list comments

As an analyst, you might want to view comments from the VirusTotal community on a potentially malicious URL. To reduce noise, let’s list these comments only if the URL has been flagged as malicious more than 10 times.

You can do this by adding a Run If condition to the List VirusTotal comments on URL action:

${{ ACTIONS.extract_virustotal_report.result.stats.malicious > 10 }}

4

Configure output data

Let’s configure the workflow to return specific output data on completion. Click on the canvas to view workflow settings, then navigate to the Schema tab and set up the Output Schema as follows:

url: ${{ ACTIONS.extract_virustotal_report.result.url }}
comments: ${{ ACTIONS.list_virustotal_comments_on_url.result }}

The ability to normalize a workflow’s output data becomes more important when you start using child workflows.
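The data flow of steps 1 to 4, emulated in Python as an added example (not part of the original tutorial and not the platform's own code), to show how the expressions resolve and where the Run If threshold cuts off. The snake-casing rule in `action_key`, the `list_comments` stub, the sample response and the `None` placeholder for a skipped action are assumptions of this sketch.

```python
import re

def action_key(name):
    # Assumed snake-casing rule: lowercase, runs of non-alphanumerics become "_".
    return re.sub(r"[^a-z0-9]+", "_", name.lower()).strip("_")

def resolve(actions, path):
    # Walk a dotted path such as ACTIONS.<action key>.result.url through nested dicts.
    root, *parts = path.split(".")
    if root != "ACTIONS":
        raise ValueError(f"unsupported namespace: {root}")
    node = actions
    for part in parts:
        if not isinstance(node, dict) or part not in node:
            raise KeyError(f"{path}: nothing at '{part}'")
        node = node[part]
    return node

# Constructed sample, trimmed to the fields the tutorial's expressions read.
SAMPLE_VT_RESULT = {"data": {"data": {"attributes": {
    "url": "http://example.test/login",
    "last_analysis_stats": {"malicious": 12, "suspicious": 1,
                            "harmless": 60, "undetected": 9},
}}}}

def run_workflow(vt_result, list_comments, threshold=10):
    # list_comments is a hypothetical stand-in for the comments action.
    actions = {action_key("Search URL with VirusTotal"): {"result": vt_result}}
    src = "ACTIONS.search_url_with_virustotal.result.data.data.attributes"
    # Step 1: the Reshape action keeps only url and stats.
    actions[action_key("Extract VirusTotal report")] = {"result": {
        "url": resolve(actions, src + ".url"),
        "stats": resolve(actions, src + ".last_analysis_stats"),
    }}
    report = "ACTIONS.extract_virustotal_report.result"
    url = resolve(actions, report + ".url")
    # Step 3: Run If is a strict comparison, so exactly 10 detections does not pass.
    ran = resolve(actions, report + ".stats.malicious") > threshold
    # Steps 2 and 4: call the comments action only when the condition holds.
    comments = list_comments(url) if ran else None  # None: placeholder in this sketch
    return {"url": url, "comments": comments, "comments_action_ran": ran}

if __name__ == "__main__":
    print(run_workflow(SAMPLE_VT_RESULT, lambda url: ["constructed comment"]))
```

A response that lacks `last_analysis_stats` raises `KeyError` at the Reshape step in this sketch, which is the point at which a malformed lookup result is easiest to catch.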

Next Steps

Check out the next tutorial on Actions Registry to learn how to use, edit, and maintain integrations in your workflows.